The EU wants to scan your WhatsApp chats—and privacy experts are furious
The revised Chat Control is set to be voted on June 20
Update: On June 20, 2024, the Belgian presidency postponed the vote on the legislation yet again at short notice because it didn't have a sufficient majority. However, the Chat Control proposal remains on the table at the time of writing.
On Thursday, June 20, 2024, EU lawmakers are set to vote on a proposed law that, if it passes, would require tech companies to scan all your private messages for child sexual abuse material (CSAM).
What's known as Chat Control has faced strong criticism since it was first proposed in 2023. Last May, the Belgian presidency attempted to find a compromise by putting together an allegedly watered-down proposal.
According to the revised Chat Control law, users must consent to have their shared photos, videos, and URLs scanned if they want to keep using this functionality. The bill also introduces the concept of 'upload moderation', which its proponents say avoids breaking encryption because the content is supposed to be scanned before it is encrypted.
Make no mistake—tech experts are not buying it. Cryptographers, privacy advocates, and tech companies, including some of the best VPN and messaging app providers, all deemed the new proposal a dangerous rebranding that will plunge us all into mass surveillance. They are now urging people in Europe to contact their national representative in the EU and pledge to stop the bill from passing into the next legislative stage.
Just "rhetorical games"
"Let’s be very clear, again: mandating mass scanning of private communications fundamentally undermines encryption. Full stop," Meredith Whittaker, President of the Signal Foundation, wrote in a statement on Monday (see tweet below).
Signal has been vocal against what was previously referred to as 'client-side scanning' since the beginning. The company said it would leave the UK rather than undermine encryption; the scanning provision still figures in the Online Safety law, but it has been halted until it's "feasible to do so." Whittaker reiterated this stance when EU lawmakers began considering Chat Control last year.
Now, like many other experts, Whittaker pointed out that 'upload moderation' is simply a "rhetorical game": no matter how and when the scanning is implemented, it can still create a vulnerability for hackers and hostile nation-states to exploit.
She said: "We ask that those playing these word games please stop and recognize what the expert community has repeatedly made clear. Either end-to-end encryption protects everyone and enshrines security and privacy, or it’s broken for everyone."
📣Official statement: the new EU chat controls proposal for mass scanning is the same old surveillance with new branding. Whether you call it a backdoor, a front door, or “upload moderation” it undermines encryption & creates significant vulnerabilities https://t.co/g0xNNKqquA pic.twitter.com/3L1hqbBRgq (June 17, 2024)
Many other security and privacy experts have endorsed her statement so far. These include Edward Snowden, the American whistleblower who first shed light on NSA surveillance tactics on citizens.
He tweeted: "EU apparatchiks aim to sneak a terrifying mass surveillance measure into law despite UNIVERSAL public opposition (no thinking person wants this) by INVENTING A NEW WORD for it—'upload moderation'—and hoping no one learns what it means until it's too late. Stop them, Europe!"
The likes of Proton (the Swiss company behind popular Proton Mail and Proton VPN services), Tuta, Element, Mullvad, and Threema have also warned their online community of the risks, urging EU governments to reject indiscriminate mass scanning.
Chat Control 2.0 isn't the only attempt to give law enforcement more access to EU citizens' data. In yet another anti-encryption crusade, a leaked 42-point plan puts forward new recommendations to make all the digital devices we use every day legally and technically monitorable at all times by law enforcement bodies. "It would mean total surveillance and that Europe's inhabitants carry state spyware in their pockets," said Jan Jonsson, CEO at Mullvad.
Experts have also harshly criticized the provision that asks users for permission to scan their communications.
"If people cannot use core communications infrastructure without first 'consenting' to mass surveillance then we must understand this as coercive, not an exercise in meaningful choice," Whittaker told TechRadar, adding that the provision doesn't reflect the way detection orders work in law.
Likewise, Matthew Green, Professor of cryptography at Johns Hopkins University, deemed the proposal "coercion into a mass surveillance regime, with some branding."
He also pointed out that focusing only on shared media rather than entire messages might be just a "temporary climbdown" from the original intention. "Their plan appears to be: get the law in place and then it won’t really matter," he wrote in a tweet.
Rand Hindi, CEO of open-source cryptography company Zama, called out the EU's apparent double standards when it comes to data privacy. "Europe is being such a hypocrite here: on the one hand, they force companies to comply with strict privacy regulations (this is good!), but at the same time they are asking for governments to have TOTAL surveillance capabilities," he wrote.
"What’s happening now with Chat Control is a disaster in the making. It is not a hypothetical scenario, it’s one of the most dangerous proposals ever to make it this far, and we should aggressively fight against it."
What's next?
As we mentioned, lawmakers are expected to vote on Chat Control 2.0 on June 20, after the vote was pushed back a day from the original date.
According to Patrick Breyer, MEP of the German Pirate Party, Italy, Finland, Czech Republic, Sweden, Slovenia, Estonia, Greece, and Portugal are still undecided about tomorrow's vote. In contrast, Germany, Luxembourg, the Netherlands, Austria, and Poland are "relatively clear that they would not go along."
While opposed at the beginning, France appears more inclined to vote in favor at the moment, on the condition that Signal, WhatsApp, and other platforms using end-to-end encryption will be left out of the scope of the law at first. The risks of scanning, however, still remain for the photos and videos you may share on social media DMs, game chats, and similar.
It is also worth noting that legislators plan to exempt staff of intelligence agencies, police, and the military from the CSAM scanning. Moreover, the European Court of Human Rights deemed attempts to break encryption illegal last February.
Now, Breyer urges everyone in Europe to take action before it may be too late. To know more about the steps you can take, I suggest visiting his dedicated page here.
Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com